|
|
United States-English | |
|
|
 |
|
HP DCE/9000 Version 1.6: Planning and Configuring HP DCE 1.6 > Chapter 1 About HP DCE/9000 Version 1.6
HP Password Management Server |
|
|
A Password Management Server implements policies for password strength. Sites can implement site-specific policies by writing their own Password Management Server, and attaching appropriate Extended Registry Attributes (ERAs) to the principals that are subject to these policies. A Password Management Server must implement the interface described in dce/rsec_pwd_mgmt.idl. In order to be configurable by dce_config or DCM, the Password Management Server must conform to the following guidelines:
Password Management Server sources are supplied in/opt/dce/share/hpexam. These are the sources used to build the Password Management Server supplied with the HP DCE release. Certain files that contain proprietary SecureWare algorithms have been omitted, but stubs are supplied that allow the resulting server to build. Note that certain values of the pwd_SecureWare_chk ERA (specifically, values 1 and 2) are unsupported, and will result in failures to pass strength checking if you attempt to use the example server as described in the documentation. The logfile entry will report that the pwd_SecureWare_chk level is not supported. The source code directory for pwd_mgmt and the files in it are installed write protected. To build this application, copy the files into a private, writable directory you create. This way the original files will continue to be available for you or others to consult. cd to the private, writable directory
where you copied the source files and type: Your system's /bin/make command should successfully build the client and server programs using the Makefile provided, if modified as above. Unlike the other sample applications, where you are encouraged to generate a new UUID when you make modifications, you must not make changes to rsec_pwd_mgmt.idl. secd is linked with the client stub for the rsec_pwd_mgmt interface so changing the interface UUID will cause communication problems between secd and your Password Management Server. The dce_config and pwd_config files supplied with this DCE release are set up to configure and start up a Password Management Server that conforms to the guidelines listed above. In order to have the policies implemented by any Password Management Server apply to a given principal, the administrator must attach instances of the following two Extended Registry Attributes to the principal's node in the DCE Registry: pwd_val_type The pwd_val_type attribute controls the type of password management that applies to a given principal. The values are: 0 — Check passwords entered by this principal using the DCE Registry policy only. 1 — Check passwords entered by this principal using the Password Management Server. 2 — Principal may either choose a password (which is then checked with the Password Management Server), or can use a password that has been generated by the Password Management Server (no additional strength checking is done). 3 — Principal must use a password generated by the Password Management Server. The HP Account Manager can facilitate the administration of ERAs. pwd_mgmt_binding attribute The pwd_mgmt_binding attribute specifies the binding to the Password Management Server that will be used for this principal. In future releases, more than one Password Management Server may be supported, but for now, the value of the pwd_mgmt_binding attribute must always be:
pwd_SecureWare_chk HP's default implementation of the Password Management Server uses an additional Extended Registry Attribute to control the level of strength checking algorithm that will be applied to a given principal. The values are: 0 — Use DCE Registry algorithm only (such as, depending on DCE registry policies, check password length, blanks, alphanumeric). 1 — In addition to checking against the DCE Registry algorithm, use a proprietary SecureWare algorithm that verifies the password meets certain tests for non-triviality (not a circular shift of the principal's name or its reverse, contains at least 2 alphanumeric characters, contains at least one non-alphanumeric character). 2 — In addition to the two previous checks, use a proprietary SecureWare algorithm that verifies the password is not a word (and is not a palindrome, does not contain the same characters as any group or principal name in the DCE Registry, and is not found in the spell program's dictionary). If a principal does not have an instance of pwd_SecureWare_chk attached, then the Password Management Server uses the DCE Registry algorithm only. The example Password Management Server does not support values 1 or 2 for pwd_SecureWare_chk, since these use proprietary SecureWare algorithms. If a principal is configured with a pwd_SecureWare_chk value of 1 or 2, the principal will be unable to change passwords, and the logfile /var/ opt/dce/security/pwd_strength.log will report that the pwd_SecureWare_chk level is not supported. An example of a dcecp command for configuring a principal with these attributes is:
You must set the minimum length of the password using the
DCE Registry policies: Examples of other DCE Registry password policy attributes in dcecp syntax are: : {pwdalpha no} : {pwdspaces no} : {pwdexpdate none} : {pwdlife unlimited effective 5 days} Only the pwdminlen, pwdalpha, and pwdspaces attributes are checked by the Password Management Server; the DCE Registry checks the remaining attributes itself. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Printable version |
|
|
|
|
|
|||||||||||||||
|
|||||||||||||||
